Ticket #155 (closed defect: fixed)

Opened 12 months ago

Last modified 11 months ago

SASL + PAM doesn't work

Reported by: harry Owned by: smoku
Priority: minor Component: c2s
Version: 2.1.16 Keywords:
Cc: Tracforge_linkmap:
Blocking: Blocked By:

Description

Using SASL and PAM does not work. The problem is, I think, the call '(ctx->cb)(sx_sasl_cb_GET_PASS, ...)' from _sx_auxprop_lookup() in sasl_cyrus.c. But the PAM module does not support the get_password() function.

Is this a bug, or is it just not possible to use SASL + PAM? In the latter case this should really be documented somewhere.

Attachments

c2s.log.gz (1.6 kB) - added by harry 12 months ago.
155-valid-jid-withouth-realm.patch (2.0 kB) - added by harry 11 months ago.

Change History

  Changed 12 months ago by smoku

  • status changed from new to closed
  • resolution set to invalid

Please read wiki:PAM

  Changed 12 months ago by harry

c2s _has_ read access to /etc/shadow. Also, PAM authentication works using the traditional authentication method, just not with SASL.

  Changed 12 months ago by smoku (follow-up: comment 5)

  • priority changed from major to minor
  • status changed from closed to reopened
  • resolution deleted

Well. That's a bit strange.

Cyrus is not a supported SASL backend, so I will not look at it. Although I will reopen the ticket. If somebody is able to provide a fix, I will gladly integrate it.

  Changed 12 months ago by smoku

On a side note. Do you remember, that authentication against PAM is possible only with PLAIN?

This is the hashed-storage-plain-wire vs. plain-storage-hashed-wire case.

  Changed 12 months ago by harry (in reply to: comment 3)

Replying to smoku:

Well. That's a bit strange.

Not at all. As I've written in my initial report, cyrus_sasl calls get_password(), which is not supported by the PAM module.

Cyrus is not supported SASL backend, so I will not look at it.

I was not aware of that. Which one should be used?

I've tried to use scod, but it doesn't compile. Is it supposed to work?

Now I'm trying gsasl. But this produces a segfault. Here's the problem: in order for PAM authentication to be usable, the realm has to be set to "". Now when _c2s_client_sx_callback() (c2s.c) is called with event event_PACKET, a new jid is created:

229: jid_t jid = jid_new(sess->c2s->pc, sess->s->auth_id, -1);

However, sess->s->auth_id is now "foo@". Thus jid_new returns NULL, which triggers the SEGV in

247: if (jid_reset_components(jid, jid->node, jid->domain, resource_buf) == NULL) {

gdb output with backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7abe6b0 (LWP 1720)]
0x08050db5 in _c2s_client_sx_callback (s=0x809bcc0, e=event_PACKET, data=0x809ffa0, arg=0x807e658)
    at c2s.c:247
247                         if (jid_reset_components(jid, jid->node, jid->domain, resource_buf) == NULL) {
(gdb) bt
#0  0x08050db5 in _c2s_client_sx_callback (s=0x809bcc0, e=event_PACKET, data=0x809ffa0, arg=0x807e658)
    at c2s.c:247
#1  0x0805b2fd in __sx_event (file=0x8071ffe "io.c", line=134, s=0x809bcc0, e=event_PACKET, data=0x809ffa0)
    at sx.c:329
#2  0x080586d9 in _sx_process_read (s=0x809bcc0, buf=0x809f758) at io.c:134
#3  0x08058aa8 in sx_can_read (s=0x809bcc0) at io.c:218
#4  0x08051e70 in _c2s_client_mio_callback (m=0x8081270, a=action_READ, fd=0x809bae0, data=0x0, 
    arg=0x807e658) at c2s.c:513
#5  0x080617a3 in _mio_run (m=0x8081270, timeout=5) at mio_impl.h:256
#6  0x08056648 in main (argc=4, argv=0xbfe4e444) at main.c:673

I've also attached a debug log.

jid should be checked for NULL in any case to prevent a SEGV. Also the jid generation should be fixed somehow to allow jids without realm. There was a related bug here: http://jabberd2.xiaoka.com/ticket/17.

regards h.

Changed 12 months ago by harry

  Changed 11 months ago by harry

I've prepared a patch to fix this problem. In case the realm is not set, the value req_to is appended to the jid, just like with traditional authentication. I hope this is correct in this case.

Also, the jid is checked for NULL, just in case.
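The two fixes described in this thread (fall back to req_to when the authenticated id carries no realm, and never dereference the jid pointer without checking it for NULL) as an added illustration. This is not jabberd2's own jid_new()/jid_reset_components() API and not the attached patch; build_auth_jid() and bind_session_jid() are assumed names, and the inputs in main() are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative stand-in for the JID construction discussed in the ticket
 * (assumed name, not jabberd2's jid_new()).  Returns out on success and
 * NULL when no usable JID can be built, which is exactly the value the
 * caller must check before touching jid->node or jid->domain. */
static char *build_auth_jid(const char *auth_id, const char *req_to,
                            char *out, size_t outlen)
{
    const char *at;
    size_t node_len;

    if (auth_id == NULL || out == NULL || outlen == 0)
        return NULL;

    at = strchr(auth_id, '@');
    if (at == NULL)
        node_len = strlen(auth_id);   /* bare username: whole string is the node */
    else
        node_len = (size_t)(at - auth_id);

    if (node_len == 0)
        return NULL;                  /* "" or "@realm": no node, invalid */

    if (at != NULL && at[1] != '\0') {
        /* realm present: "node@realm" is already a complete JID */
        if (strlen(auth_id) >= outlen)
            return NULL;
        strcpy(out, auth_id);
        return out;
    }

    /* no realm (the PAM case, "foo@" or "foo"): append the domain the
     * client connected to, as the patch does with req_to */
    if (req_to == NULL || req_to[0] == '\0')
        return NULL;
    if (node_len + 1 + strlen(req_to) >= outlen)
        return NULL;
    memcpy(out, auth_id, node_len);
    out[node_len] = '@';
    strcpy(out + node_len + 1, req_to);
    return out;
}

/* Caller mirroring the event_PACKET path in c2s.c: the NULL check is what
 * keeps a malformed auth id from turning into the SIGSEGV in the backtrace.
 * Returns 0 on success, -1 when the session must be refused instead. */
static int bind_session_jid(const char *auth_id, const char *req_to,
                            char *jid_buf, size_t buflen)
{
    if (build_auth_jid(auth_id, req_to, jid_buf, buflen) == NULL) {
        fprintf(stderr, "invalid auth id '%s', refusing to bind session\n",
                auth_id ? auth_id : "(null)");
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[128];
    int rc;

    /* constructed inputs: realm-less PAM id, full id, and a bogus id */
    rc = bind_session_jid("foo@", "example.com", buf, sizeof buf);
    printf("rc=%d jid=%s\n", rc, rc == 0 ? buf : "-");
    rc = bind_session_jid("foo@example.org", "example.com", buf, sizeof buf);
    printf("rc=%d jid=%s\n", rc, rc == 0 ? buf : "-");
    rc = bind_session_jid("@", "example.com", buf, sizeof buf);
    printf("rc=%d jid=%s\n", rc, rc == 0 ? buf : "-");
    return 0;
}
```

The first call is the case from the backtrace: "foo@" becomes "foo@example.com" rather than a NULL that the next line dereferences; the last call shows why the check is still needed even with the fallback, since an id with an empty node has no valid JID at all.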

Changed 11 months ago by harry

  Changed 11 months ago by smoku

  • status changed from reopened to new

Ah-Ha! I had a feeling that [244]/#17 would come up somehow. :-)

And it hit the part of the GSASL implementation I wasn't sure was correct. I think your changes make it better.

(And yes, SCOD is broken with 2.1. I've resurrected it only for reference and in the hope that someone would have the will to fix it.)

  Changed 11 months ago by smoku

  • status changed from new to closed
  • resolution set to fixed

(In [437]) Fixes #155 - PAM + SASL problems
